Action: Feed
Also available in Deutsch, Français, Русский
{{feed url="https://...[|https://...|https://...]" [title="News feed title|no"] "text" - displayed as title "no" - means show no title empty title - title taken from feed [max="x"] [time=1] 1 - show time tag of feed item 0 - hide time tag of feed item (default) [nomark=1] 1 - makes feed header h3 and feed-items headers h4 0 - makes it all default }}
Example
{{feed url="https://news.opensuse.org/feed/" time=1 max=2}}
Feed Title: openSUSE News
openSUSE addresses supply chain attack against xz compression library
openSUSE maintainers received notification of a supply chain attack against the “xz” compression tool and “liblzma5” library.
Background
Andres Freund reported to Debian that the xz / liblzma library had been backdoored.
This backdoor was introduced in the upstream github xz project with release 5.6.0 in February 2024.
Our rolling release distribution openSUSE Tumbleweed and openSUSE MicroOS included this version between March 7 and March 28.
SUSE Linux Enterprise and openSUSE Leap are built in isolation from openSUSE Tumbleweed. Code, functionality and characteristics of Tumbleweed are not automatically introduced in SUSE Linux Enterprise and/or openSUSE Leap. It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or openSUSE Leap.
Impact
Current research indicates that the backdoor is active in the SSH Daemon, allowing malicious actors to access systems where SSH is exposed to the internet.
As of March 29, reverse engineering of the backdoor is still ongoing.
Mitigations
openSUSE Maintainers have rolled back the version of xz on Tumbleweed on March 28 and have released a new Tumbleweed snapshot (20240328 or later) that was built from a safe backup.
The reversed version is versioned 5.6.1.revertto5.4
and can be queried with rpm -q liblzma5
.
User recommendation
For our openSUSE Tumbleweed users where SSH is exposed to the internet, we recommend installing fresh, as it’s unknown if the backdoor has been exploited.
Due to the sophisticated nature of the backdoor an on-system detection of a breach is likely not possible.
Also rotation of any credentials that could have been fetched from the system is highly recommended. Otherwise, simply update to openSUSE Tumbleweed 20240328 or later and reboot the system.
{{feed url="https://www.flickr.com/services/feeds/groups_pool.gne?id=82323459@N00&lang=de-de&format=atom" max=1 time=1}}
Feed Title: Pool von Japan Through the Eyes of Others
K3 III-310323-032
Steve Chasey Photography hat dem Pool ein Foto hinzugefügt: